From: Brendan Trotter <btrotter@gmail.com>
To: Matthew Garrett <mjg59@srcf.ucam.org>
Cc: The development of GNU GRUB <grub-devel@gnu.org>,
Ard Biesheuvel <ardb@kernel.org>,
Daniel Kiper <daniel.kiper@oracle.com>,
Alec Brown <alec.r.brown@oracle.com>,
Kanth Ghatraju <kanth.ghatraju@oracle.com>,
Ross Philipson <ross.philipson@oracle.com>,
"piotr.krol@3mdeb.com" <piotr.krol@3mdeb.com>,
"krystian.hebel@3mdeb.com" <krystian.hebel@3mdeb.com>,
"persaur@gmail.com" <persaur@gmail.com>,
"Yoder, Stuart" <stuart.yoder@arm.com>,
Andrew Cooper <andrew.cooper3@citrix.com>,
"michal.zygowski@3mdeb.com" <michal.zygowski@3mdeb.com>,
James Bottomley <James.Bottomley@hansenpartnership.com>,
"lukasz@hawrylko.pl" <lukasz@hawrylko.pl>,
linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org,
James Morris <jmorris@namei.org>
Subject: Re: Linux DRTM on UEFI platforms
Date: Fri, 12 Aug 2022 12:52:58 +0930 [thread overview]
Message-ID: <CAELHeEcfHSXewFCywsYeN_g8Q_BNG+4tP-QENO5QBw8Dj91yMA@mail.gmail.com> (raw)
In-Reply-To: <20220811182502.GA32433@srcf.ucam.org>
Hi,
On Fri, Aug 12, 2022 at 3:55 AM Matthew Garrett <mjg59@srcf.ucam.org> wrote:
> On Thu, Aug 11, 2022 at 07:25:58PM +0930, Brendan Trotter wrote:
> > On Thu, Aug 11, 2022 at 3:16 AM Matthew Garrett <mjg59@srcf.ucam.org> wrote:
> > > The kernel has no way to know this - *any* code you've run before
> > > performing a measurement could tamper with the kernel such that it
> > > believes it's fine. This is just as true in DRTM as it is in SRTM. But
> > > you know what the expected measurements should be, so you're able to
> > > either seal secrets to those PCR values or rely on remote attestation.
> >
> > In this scenario the kernel has no idea what the measurement should
> > be, it only knows the measurement that a potentially malicious boot
> > loader felt like giving the kernel previously (e.g. when the kernel
> > was installed).
>
> Even if the kernel has an idea of what the measurement should be, it has
> no way to verify that what it believes to be true is true - any
> malicious code could simply have modified the kernel to believe that
> anything it asks the TPM returns the "correct" answer.
Right. To achieve the best possible security; you'd need Secure Boot
to ensure that the kernel itself wasn't modified, and then the kernel
establishes a dynamic root of trust itself.
Anything involving a boot loader (e.g. Secure Boot ensure's boot
loader wasn't modified, then boot loader ensure's kernel wasn't
modified, then ....) increases the attack surface for no benefit.
> > > Measurements are not opaque objects. If you're not able to reconstruct
> > > the expected measurement then you're doing it wrong.
> >
> > OK; so to detect if boot loader has always given kernel a bad/forged
> > measurement; the kernel repeats all of the steps involved in creating
> > the measurement itself exactly the same as the boot loader should have
> > (but might not have) so that kernel can compare a "known
> > good/trustworthy" measurement with the useless measurement that the
> > boot loader created for no sane reason whatsoever?
>
> No, some external agent does. Code running on the local machine can
> never determine whether the machine is trustworthy.
This part of the conversation evolved from "there's no way for kernel
to detect a MiTM boot loader (that provides a bad/forged
measurement)".
I'm not convinced an external agent can detect "bad/forged
measurement" either. E.g. if a MiTM boot loader always provided a
bad/forged measurement the external agent won't detect it (as the
measurement always matches the expected measurement), and then if the
MiTM boot loader is replaced by a good/honest boot loader the external
agent will decide that the good/honest boot loader is malicious
because its measurement doesn't match the expected bad/forged
measurement.
- Brendan
next prev parent reply other threads:[~2022-08-12 3:23 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-29 17:40 Linux DRTM on UEFI platforms Matthew Garrett
2022-03-30 7:02 ` Ard Biesheuvel
2022-03-30 7:11 ` Matthew Garrett
2022-03-30 7:12 ` Ard Biesheuvel
2022-03-30 7:18 ` Matthew Garrett
2022-03-30 7:23 ` Ard Biesheuvel
2022-03-30 7:27 ` Matthew Garrett
2022-03-30 7:39 ` Ard Biesheuvel
2022-03-30 12:46 ` James Bottomley
2022-03-31 0:35 ` Daniel P. Smith
2022-03-31 7:13 ` Ard Biesheuvel
2022-03-31 10:59 ` Heinrich Schuchardt
2022-05-19 20:57 ` Daniel P. Smith
2022-05-19 20:57 ` Daniel P. Smith
2022-06-10 16:40 ` Ard Biesheuvel
2022-07-05 18:35 ` Daniel P. Smith
2022-07-06 0:03 ` Brendan Trotter
2022-07-06 0:12 ` Matthew Garrett
2022-07-07 9:46 ` Daniel P. Smith
2022-07-08 3:36 ` Brendan Trotter
2022-07-08 4:56 ` Matthew Garrett
2022-07-22 17:23 ` Daniel P. Smith
2022-07-23 5:15 ` Brendan Trotter
2022-08-09 10:53 ` Daniel P. Smith
2022-08-10 9:07 ` Brendan Trotter
2022-08-10 17:46 ` Matthew Garrett
2022-08-11 9:55 ` Brendan Trotter
2022-08-11 11:34 ` Daniel Kiper
2022-08-11 18:25 ` Matthew Garrett
2022-08-12 3:22 ` Brendan Trotter [this message]
2022-08-12 5:54 ` Matthew Garrett
2022-08-05 12:53 ` Ard Biesheuvel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAELHeEcfHSXewFCywsYeN_g8Q_BNG+4tP-QENO5QBw8Dj91yMA@mail.gmail.com \
--to=btrotter@gmail.com \
--cc=James.Bottomley@hansenpartnership.com \
--cc=alec.r.brown@oracle.com \
--cc=andrew.cooper3@citrix.com \
--cc=ardb@kernel.org \
--cc=daniel.kiper@oracle.com \
--cc=grub-devel@gnu.org \
--cc=jmorris@namei.org \
--cc=kanth.ghatraju@oracle.com \
--cc=krystian.hebel@3mdeb.com \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lukasz@hawrylko.pl \
--cc=michal.zygowski@3mdeb.com \
--cc=mjg59@srcf.ucam.org \
--cc=persaur@gmail.com \
--cc=piotr.krol@3mdeb.com \
--cc=ross.philipson@oracle.com \
--cc=stuart.yoder@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).